Skip to content

feat: authorization implementation#3399

Merged
zhaohuabing merged 14 commits intoenvoyproxy:mainfrom
zhaohuabing:authorization-impl
May 29, 2024
Merged

feat: authorization implementation#3399
zhaohuabing merged 14 commits intoenvoyproxy:mainfrom
zhaohuabing:authorization-impl

Conversation

@zhaohuabing
Copy link
Copy Markdown
Member

@zhaohuabing zhaohuabing commented May 15, 2024
edited
Loading

This PR adds gateway API translator, XDS translator, and e2e tests for the Authorization setting of the SecurityPolicy.

Only source IP is supported for now. Other principals such as JWT claims, basic auth, etc. will be supported later.

Fix: #2462
Related: #2250

Example config:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http-with-authorization-client-ip
  namespace: gateway-conformance-infra
spec:
  parentRefs:
  - name: same-namespace
  rules:
  - matches:
    - path:
        type: Exact
        value: /protected
    backendRefs:
    - name: infra-backend-v1
      port: 8080
---
      
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: authorization-client-ip
  namespace: gateway-conformance-infra
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: http-with-authorization-client-ip
  authorization:
    defaultAction: Deny
    rules:
    - action: Allow
      principal:
        clientCIDRs:
        - 10.0.1.0/24
        - 10.0.2.0/24
---

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: enable-client-ip-detection
  namespace: gateway-conformance-infra
spec:
  clientIPDetection:
    xForwardedFor:
      numTrustedHops: 1
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: same-namespace

Test results:

curl -I --header "Host: www.example.com" --header "X-Forwarded-For: 10.0.2.1" http://172.18.255.203:80/protected
HTTP/1.1 200 OK

curl -I --header "Host: www.example.com" --header "X-Forwarded-For: 10.0.3.1" http://172.18.255.203:80/protected
HTTP/1.1 403 Forbidden

@zhaohuabing zhaohuabing requested a review from a team as a code owner May 15, 2024 18:15
@zhaohuabing zhaohuabing marked this pull request as draft May 15, 2024 18:15
@zhaohuabing zhaohuabing force-pushed the authorization-impl branch 20 times, most recently from 53aa011 to 9224aea Compare May 17, 2024 19:01
@zhaohuabing zhaohuabing marked this pull request as ready for review May 17, 2024 21:32
@zhaohuabing
authorization impl
d53caf5 
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing force-pushed the authorization-impl branch from 9224aea to d53caf5 Compare May 17, 2024 21:50
@zhaohuabing
use x-forward-for for testing
cf67b78 
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing force-pushed the authorization-impl branch from 01f8408 to ac682d9 Compare May 18, 2024 05:24
@zhaohuabing zhaohuabing force-pushed the authorization-impl branch from ac682d9 to f657664 Compare May 18, 2024 06:30
@codecov
Copy link
Copy Markdown

codecov bot commented May 20, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 81.73913% with 42 lines in your changes are missing coverage. Please review.

Project coverage is 67.37%. Comparing base (dd35514) to head (5a37c9e).

Files Patch % Lines
internal/xds/translator/authorization.go 78.01% 16 Missing and 15 partials ⚠️
internal/gatewayapi/securitypolicy.go 90.62% 3 Missing and 3 partials ⚠️
internal/gatewayapi/helpers.go 81.81% 1 Missing and 1 partial ⚠️
internal/gatewayapi/backendtrafficpolicy.go 75.00% 1 Missing ⚠️
internal/xds/translator/local_ratelimit.go 50.00% 0 Missing and 1 partial ⚠️
internal/xds/translator/ratelimit.go 50.00% 0 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3399      +/-   ##
==========================================
+ Coverage   67.25%   67.37%   +0.11%     
==========================================
  Files         166      167       +1     
  Lines       19722    19914     +192     
==========================================
+ Hits        13265    13418     +153     
- Misses       5503     5522      +19     
- Partials      954      974      +20

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

arkodg
arkodg reviewed May 23, 2024
View reviewed changes
arkodg
arkodg reviewed May 23, 2024
View reviewed changes
arkodg
arkodg reviewed May 23, 2024
View reviewed changes
@zhaohuabing
address comments
471a4d3 
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
arkodg
arkodg previously approved these changes May 23, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@arkodg arkodg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks !

@arkodg arkodg requested review from a team and removed request for zetaab May 23, 2024 22:10
@zhaohuabing
address comments
9a366b8 
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
@zhaohuabing
Copy link
Copy Markdown
Member Author

zhaohuabing commented May 23, 2024
edited
Loading

I am testing this and got error

'Unable to translate authorization rule: invalid CIDR address: 1.2.3.4'

I could apply the configuration fine, but I was wondering why it was not provisioned. I could see that error in securitypolicy status. Just thinking, should it be validated in creation of securitypolicy that ip address contains mask as well?

Good point. I added a regex validation for CIDR. It should prevent most invalid input such as lacking of mask, but still need a second check in gateway API translation for some corner cases.

Otherwise looks good, I have verified and looks like working like should. However, I am just thinking that we might need to split the filter to two different rbac filters? I am thinking like ip policies as first in order, and then others after authentication things like jwt (that we can use jwt information for authorization)?

I actually proposed the same during the API review. :-)

Most gateway implementations have a standalone IP Allow/Deny list. However, some, like the Istio Authorization API, integrate this feature into their Authorization API.

Incorporating the client IP range in the Authorization enables use cases that require a combination of the client IP and other conditions. For instance, " allows admin users access an HTTPRoute from use-west-region, but not from other regions", which is either impossible or significantly challenging to implement with two independent filters.

arkodg
arkodg previously approved these changes May 24, 2024
View reviewed changes
@arkodg arkodg requested review from a team May 24, 2024 16:20
zirain
zirain previously approved these changes May 28, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@zirain zirain left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, please fix the conflict.

@zhaohuabing
Merge branch 'main' into authorization-impl
4ea40d2 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing dismissed stale reviews from zirain and arkodg via 4ea40d2 May 29, 2024 00:24
@zhaohuabing zhaohuabing requested review from arkodg, zetaab and zirain May 29, 2024 00:26
@zhaohuabing
fix gen check
8a14994 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
@zhaohuabing
fix lint
5a37c9e 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
zetaab
zetaab reviewed May 29, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@zetaab zetaab left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one nit, otherwise lgtm

api/v1alpha1/shared_types.go

// CIDR defines a CIDR Address range.
// A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64".
// +kubebuilder:validation:Pattern=`((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+))`
Copy link
Copy Markdown
Contributor

@zetaab zetaab May 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

perhaps prettier would be use golang in https://github.com/envoyproxy/gateway/blob/main/api/v1alpha1/validation/securitypolicy_validate.go to check that its valid?

Copy link
Copy Markdown
Member Author

@zhaohuabing zhaohuabing May 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's two-level validation, first level is k8s API server, the second level is in gateway API translation in parseCIDR method.

@zhaohuabing zhaohuabing requested a review from zetaab May 29, 2024 16:25
@zhaohuabing zhaohuabing merged commit 8485fc7 into envoyproxy:main May 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@arkodg arkodg arkodg approved these changes

@zirain zirain Awaiting requested review from zirain

+1 more reviewer

@zetaab zetaab zetaab approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support Allow/Deny IP Subnets

5 participants

@zhaohuabing @zufardhiyaulhaq @zetaab @zirain @arkodg